shibboleth-dev - Re: Encryption key strategies

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: Encryption key strategies
  • Date: Thu, 22 Jun 2006 09:48:45 -0400

Reimer Karlsen-Masur, DFN-CERT wrote:
>>> Is there always a https tunnel with (strong) encryption between these
>>> parties anyway?
>> Nope, not in the case where there are intermediate systems between the
>> IdP and SP.
>
> I was under the impression that Shib IdP and SP (and their components AAR
> and shibd) were always talking directly to each other (once the part with
> the WAYF server involvement was over). How is an architecture set up that has
> one or more intermediate systems between IdP and SP? Are there any proxies
> or load balancers between them? Or can this only happen if one is not using
> the Internet2 implementation of Shibboleth?

To date, it's true. The SP and IdP do talk directly to each other. In the SAML2 profile document take a look at the Enhanced Client/Proxy profile. Realistically you probably wouldn't need encryption in this case because it's assumed that the enhanced client is something you, the user, own and we're not trying to protect you from yourself. It does serve as an example of an N-party flow, where N=3, though. There are many more, much more complex, situations dealing with various proxy and N-Tier use cases as well.

We're currently in the process of developing an implementation of this profile here at GU for a client/server project we're working on. So it's not in Shib yet, but you might be seeing it as an extension to Shib 2.0.

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
